--- begin forwarded text Date: Mon, 16 Jun 1997 18:24:32 -0500 From: Bill GL Stafford <springco@arn.net> Organization: Spring Management Company MIME-Version: 1.0 To: "dcsb@ai.mit.edu" <dcsb@ai.mit.edu> Subject: More about Netscape Bug finder X-Priority: 3 (Normal) Sender: bounce-dcsb@ai.mit.edu Precedence: bulk Reply-To: Bill GL Stafford <springco@arn.net> Christian Orellana, gambled $1000 and lost. Not the worst thing he could have done. Now the world knows how Netscape approaches a potential crisis. They did not panic although they may have come close to it. I've seen that much lost in a cloak room with a pot not near as big as Christian sought. Anyway you look at it it's just a roll of the dice.Bill GL Stafford springco@arn.net Wired Magazine on web An Email Trail from Bug Spotter to Netscape 6:01pm 13.Jun.97.PDT The following is a copy of the email exchange between Netscape officials and Christian Orellana, the Danish consultant who found the Netscape Navigator bug. A copy of the text was provided to Wired News by Netscape and appears unedited. Wired News has chosen not to publish Orellana's email address. Subject: Major security bug in Netscape Navigator 3 and 4 Date: Mon, 9 Jun 1997 19:19:13 +0200 From: Christian Orellana To: stracy@netscape.com Hello! We have discovered a major security bug in Netscape Navigator 3.0, which remains uncorrected in the new Communicator release. The bug affects Navigator running on all platforms in the standard configuration. The bug allows access to any file on the clients file system, and does not affect Microsoft Internet Explorer. This bug is potentially very interesting to Netscape considering that the new release of Navigator is due in just three days. The bug has not previously been reported, and remains unknown to anyone but us (to the best of our knowledge). Please get back to us a.s.a.p. (before Netscape DevCon) if this knowledge is of any interest to you. You can reach me at the phone number below. I have tried to reach Netscape for a while now, and if Netscape remains uninterested in the issue I may contact some other interested parties. Yours sincerely, Christian Orellans [sic] --- Subject: Please confirm Date: Mon, 9 Jun 1997 20:14:08 +0200 From: Christian Orellana To: stracy@netscape.com Hello! Could you please confirm that you have received my previous letter. Also I would like to restate my claim that this is of the utmost importance for the upcoming launch of Communicator. The bug allows complete read access to the clients hard disk. Christian Orellana. --- Subject: Re: [Fwd: Major security bug in Netscape Navigator 3 and 4] Date: Mon, 09 Jun 1997 11:51:04 -0700 From: edithg@netscape.com (Edith Gong) Organization: Netscape Communications To: Shannon Tracy , lalam@netscape.com References: <339C3C32.FE3F5683@netscape.com> Shannon, I don't know what else to do. Can someone in DSE contact this person to get the details by phone. We can't investigate until we understand what the issue is. I'll see if someone in tech support can contact the customer Edith --- Subject: Re: Please confirm Date: Mon, 09 Jun 1997 12:00:03 -0700 From: Shannon Tracy Organization: Netscape Communications To: Christian Orellana References: Dear Christian Orellana: Yes, I received your message. The project manager just responded that they are trying to find someone to contact you, however, we can't investigate until we understand what the issue is. Can you please furnish a few additional details so that we know who best might be able to handle this situation? Thanks, Shannon Tracy --- Subject: Re: Please confirm Date: Mon, 9 Jun 1997 21:11:44 +0200 From: Christian Orellana To: stracy@netscape.com (Shannon Tracy) References: Dear Shannon. In short the first version of the bug I had up and running allowed me to get any file whose path I knew on the clients hard disk. I just got another version up and running, and considering that the location of quite a few files on a typical windows/mac/unix installation is pretty well known, it should be no surprise that this new version can actually scan the clients harddisk for specific files, and download them. I can not reveal much more detail, without giving away the bug, which I will not do, since I think this information is so valuable to Netscape that it should be worth a good deal of money. The information is certainly worth a bit on the free market, and I am currently awaiting responses from other parties. In other words I think the person most suited for handling this, is someone in charge of the company check book (-; Regards - Christian --- Subject: final note on Navigator bug Date: Mon, 9 Jun 1997 23:07:59 +0200 From: Christian Orellana To: stracy@netscape.com (Shannon Tracy) Netscape: I think my approach to you on this subject has been fair and serious. I am offering you a piece of information that I consider of very high value. The implications of the bug mentioned in previous emails are immense. Considering the widespread use of home-banking software, not to mention the impact on multiuser systems in the government and corporate sector, like unix and NT environments, where access to the encrypted password-files would render the systems extremely vulnerable, I think all pre Communicator versions of Navigator (supposing you fix the bug in Communicator) would be pretty useless. I will leave it to you to estimate what impact that would have on Netscape stocks. I have to inform you that David Gross at CNN is on hold with the news, and is only waiting for me to give him the final demonstration, to verify the bug. I must also inform you that CNN is not the only interested party, and that I will consider my options once I get Netscape's standpoint on the matter. I would be more than happy to give a demonstration of the bug, under controlled circumstances, but we would have to sign some sort of agreement first. Regards, Christian Orellana. --- Subject: Re: [Fwd: Major security bug in Netscape Navigator 3 and 4] Date: Thu, 12 Jun 1997 16:40:33 -0700 From:chrish@netscape.com (Chris Holten) Organization: Netscape Communications To:chrish@netscape.com References: 1 Subject: Major security bug in Netscape Navigator 3 and 4 Date: Mon, 9 Jun 1997 19:19:13 +0200 From: Christian Orellana To: stracy@netscape.com Hello! We have discovered a major security bug in Netscape Navigator 3.0, which remains uncorrected in the new Communicator release. The bug affects Navigator running on all platforms in the standard configuration. The bug allows access to any file on the clients file system, and does not affect Microsoft Internet Explorer. This bug is potentially very interesting to Netscape considering that the new release of Navigator is due in just three days. The bug has not previously been reported, and remains unknown to anyone but us (to the best of our knowledge). Please get back to us a.s.a.p. (before Netscape DevCon) if this knowledge is of any interest to you. You can reach me at the phone number below. I have tried to reach Netscape for a while now, and if Netscape remains uninterested in the issue I may contact some other interested parties. Yours sincerely, Christian Orellans --- Subject: Please confirm Date: Mon, 9 Jun 1997 20:14:08 +0200 From: Christian Orellana To: stracy@netscape.com Hello! Could you please confirm that you have received my previous letter. Also I would like to restate my claim that this is of the utmost importance for the upcoming launch of Communicator. The bug allows complete read access to the clients hard disk. Christian Orellana. For help on using this list (especially unsubscribing), send a message to "dcsb-request@ai.mit.edu" with one line of text: "help". --- end forwarded text ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' The e$ Home Page: http://www.shipwright.com/